{"id":9923,"date":"2023-10-25T08:53:16","date_gmt":"2023-10-25T15:53:16","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=9923"},"modified":"2023-11-07T11:31:19","modified_gmt":"2023-11-07T19:31:19","slug":"unpacking-microsofts-internal-deployment-of-the-first-major-update-to-windows-11","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/unpacking-microsofts-internal-deployment-of-the-first-major-update-to-windows-11\/","title":{"rendered":"Unpacking Microsoft\u2019s internal deployment of the first major update to Windows 11"},"content":{"rendered":"


[Editor\u2019s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we\u2019re republishing it here so you can see what our thinking and experience was like at the time.]<\/em><\/p>\n

Improvements to Windows 11\u2014including the major Windows 11 2022 update from late last year\u2014are making it faster and simpler for our internal IT team at Microsoft to roll out Windows updates to our employees.<\/p>\n

New tools and practices at Microsoft have made it easier to transform a multi-step and months-long process into something more centralized.<\/p>\n

\u201cGiven how different teams manage our infrastructure, I didn\u2019t always have direct admin access for deploying updates and making policy changes as required, so I relied heavily on admins in different organizations to make those changes,\u201d says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience, our internal organization with an IT role that powers, protects, and transforms the company.<\/p>\n

That took additional coordination. First, we had to plan out a deployment strategy for the update based on our environment and different types of device management (e.g., Domain-joined AD, Hybrid Domain-joined AD, and Azure AD-joined), including the creation and management of multiple deployment rings with thousands of devices and adjusting policy values to support each deployment. Timing for the deployment rings had to be carefully orchestrated so that they did not overlap and disrupt each other.<\/p>\n

\u201cWe had to set up meetings, talk through the plan, and then coordinate with different people in several organizations to make things happen,\u201d Gonis says. \u201cIt was a massive juggling effort.\u201d<\/p>\n

That\u2019s all changed now.<\/p>\n

\u201cNow\u2014to deliver an update to the entire company\u2014all we have to do is set up Windows Update for Business deployment service<\/a>,\u201d Gonis says. \u201cWe add start and end dates, duration, and security groups for devices to be included and excluded from the deployment. Finally, we just need to add devices to their appropriate security groups based on the deployment plan, and we\u2019re all set. This lets me deploy major updates centrally to the entire company with greater accuracy, speed, and efficiency.\u201d<\/p>\n

At a high level, Windows 11 enforces sets of functionalities that drive the environment to be secure by default. Windows 10 could do a lot by configuration, but not by default. Windows 11 starts us on that journey, and each release adds more protections.<\/p>\n

\u2014Carmichael Patton, security architect, Microsoft Digital Security and Resilience team<\/p>\n<\/blockquote>\n

Given the size and distribution of Microsoft, streamlining deployment updates into a single service has substantially transformed what used to be a cumbersome process. As a result, we can now get the latest experience and security features to our employees fast and with minimal effort.<\/p>\n

[Check out the latest features available in the Windows 11 2022 Update. Discover the new Windows 11 security features designed for hybrid work. Find out how Microsoft was able to quickly upgrade to Windows 11.]<\/em><\/p>\n

New Windows, same great experience<\/h2>\n
Windows 11 makes Microsoft\u2019s environment more secure by default, says Carmichael Patton, a security architect with Microsoft Digital Security and Resilience team.<\/figcaption><\/figure>\n

The Windows team\u2019s move to bring continuous innovation to Windows 11<\/a> is enabling Microsoft to deliver organizations, including Microsoft\u2019s internal IT team, new value on a more frequent basis.<\/p>\n

However, the product team also understands the need for organizations like ours to have a stable environment and control. The Windows team has established a client policy to control select features introduced via servicing until they are released as part of the next annual feature update. The most recent February update to Windows 11 focuses on improving search in Windows, and the 2022 update from last year concentrates heavily on empowering users with the latest security features and configurations.<\/p>\n

\u201cAt a high level, Windows 11 enforces sets of functionalities that drive the environment to be secure by default,\u201d says Carmichael Patton, a security architect with Microsoft Digital Security and Resilience team, the group responsible for protecting Microsoft so that we can deliver and operate secure products and services to our customers. \u201cWindows 10 could do a lot by configuration, but not by default. Windows 11 starts us on that journey, and each release adds more protections.\u201d<\/p>\n

These new features include Windows Defender Application Control (WDAC), which gives Microsoft, individuals, and businesses the ability to prevent scripting attacks while protecting users from running untrusted applications associated with malware.<\/p>\n

Additional protections against malware, like hypervisor-protected code integrity (HVCI) and the Microsoft vulnerable driver block list, ensure that only validated code can be executed. This prevents cybercriminals from injecting malicious code or exploiting known vulnerable drivers.<\/p>\n

The Windows 11 2022 Update adds several enabled-by-default identity and password protections to further enable hybrid work. This includes several hardware-backed protections to guard identities, protect against phishing, and further enhance single sign-on (SSO) passwordless authentication using Windows Hello for Business.<\/p>\n

The update also includes features that improve IT policy and compliance, including config lock: a feature that monitors and prevents configuration drift when users with local admin rights change settings.<\/p>\n

All of this is great news internally at Microsoft, where keeping everyone safe and empowered is a top priority.<\/p>\n

Deploying the Windows 11 2022 update at Microsoft<\/h2>\n

While a lot of attention is directed towards search improvements for users, the Windows 11 2022 update transformed things in a big way for our IT admins.<\/p>\n

\u201cBy the end of the deployment in fall 2022, we reached 225,000 eligible devices or about 90 percent of the devices in our environment,\u201d Gonis says. \u201cWe were able to get the update on all those devices in a little under five weeks.\u201d<\/p>\n

We\u2019re still adding new devices all the time, but as of March 2023, we now have 97 percent of all eligible devices at Microsoft loaded with Windows 11 and the 2022 update.<\/p>\n

\u201cThere\u2019s a lot of excitement around our progress with Windows 11 and the update,\u201d Gonis says.<\/p>\n

From an IT perspective, the entire deployment is now easier using Windows Update for Business policies in conjunction with the deployment service. It\u2019s very smooth.<\/p>\n

\u2014Markus Gonis, service engineer and deployment lead, Microsoft Digital Employee Experience<\/p>\n<\/blockquote>\n

As with the initial deployment of Windows 11, the update downloads and installs in the background without interrupting our employees. Once installed, employees are prompted to restart or schedule a restart usually within 7 days to complete their update.<\/p>\n

The background download and install phases have shortened to an average of 60 minutes for major updates. The restart phase, which is the part that actually impacts our employees, now averages around 20 minutes, a range that is shorter for smaller releases.<\/p>\n

Deploying updates internally at Microsoft is now simpler and more streamlined, says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience.<\/figcaption><\/figure>\n

\u201cFrom an IT perspective, the entire deployment is now easier using Windows Update for Business policies in conjunction with the deployment service,\u201d Gonis says.<\/p>\n

Before having access to this more modern approach using Windows Update for Business policies and the deployment service, which only requires devices to be connected to the internet, Windows feature updates used a traditional on-premises deployment. We deployed across eight deployment rings starting on specific days and with longer durations. This necessitated more testing, both of the update\u2019s final build and of the overall process, while also requiring about a week to publish packages to distribution points around the world. Being more infrastructure-intensive, this could potentially impact performance when too many devices were downloading an update locally, depending on location.<\/p>\n

The Windows Update for Business deployment service has an easy-to-use interface to set deployment start and end times including the duration for when devices will be offered the update. The service makes device calculations based on these variables and the total number of devices in the deployment. This has made it simple for us to quickly set up multiple deployments (e.g., updating Windows 11 and Windows 10 devices concurrently to their latest versions). After adding devices to security groups as appropriate, the service takes over.<\/p>\n

Instead of updating many devices at once for each deployment wave (traditionally up to 50k devices two times a week), Windows Update for Business deployment service allows for an efficient, steady release. For the 2022 Update we chose a faster duration, which offered the update to a randomly selected set of devices every 2 days, based on the start and end dates of the deployment and the total number of devices. This allowed fewer devices to be offered the update more often and increased adoption by giving employees a larger window to install it based on the Windows Update for Business policies. The deployment service creates deployment rings for you, and that gives our Microsoft Digital Employee Experience team flexibility to address any issues if needed.<\/p>\n

Furthermore, devices required to be exempt from an update, such as a device required for testing or development, are easily omitted without users continuously getting update notices.<\/p>\n

\u201cIt\u2019s very smooth,\u201d Gonis says. \u201cWe really appreciate how much better all of this works now.\u201d<\/p>\n

Having the right tools for the job<\/h2>\n

In just under five short weeks, Microsoft was able to deploy the Windows 11 2022 Update to most users with Windows 11-eligible devices across the company. Aided by new tools, the update was the smoothest deployment in the history of the company, and it\u2019s only going to get more efficient.<\/p>\n

\u201cThe next step is using Windows Update for Business deployment service as a single deployment strategy,\u201d Gonis says. \u201cIn the past, we needed to set up two different deployments based on device management: one for domain-joined devices in Active Directory and one for devices in Azure Active Directory.\u201d<\/p>\n

Today, since most devices at Microsoft are Azure AD-joined and the remaining domain-joined devices are Hybrid AD or co-managed, both sets of devices can take advantage of Windows Update for Business deployment service for deployments.<\/p>\n

\u201cWe no longer have to plan for multiple update strategies,\u201d Gonis says.<\/p>\n

This will be further aided by other services, including Windows Update for Business reports<\/a>, which will give more information about individual device state and whether a device is ready to update. This culminates in using data to make better decisions and be more prescriptive.<\/p>\n

If you take a step back, the big-picture benefit is that our employees now have a much-improved experience while also getting the latest security features and protections by default.<\/p>\n

\u201cThe biggest uplift isn\u2019t from Windows 11 to the 2022 Update; it\u2019s from Windows 10 to Windows 11, which was relatively easy too,\u201d Patton says. \u201cEverything that comes after that is just part of the journey to protect users.\u201d<\/p>\n
